Digital Signatures with Quantum Candies

Abstract

Quantum candies (qandies) represent a type of pedagogical simple model that describes many concepts from quantum information processing (QIP) intuitively without the need to understand or make use of superpositions and without the need of using complex algebra. One of the topics in quantum cryptography that has gained research attention in recent years is quantum digital signatures (QDS), which involve protocols to securely sign classical bits using quantum methods. In this paper, we show how the “qandy model” can be used to describe three QDS protocols in order to provide an important and potentially practical example of the power of “superpositionless” quantum information processing for individuals without background knowledge in the field.

1. Introduction

Quantum information processing (QIP) has been an intensively studied field in the academia ever since Feynman originally proposed the idea of quantum computing in 1982 [1] and to this day. In the most recent decade, even many technology companies in the industry (including Google, IBM, Intel, Microsoft, Alibaba, and others) directed increasing resources towards quantum computing and communication research and development.

Currently, one of the most prominent research directions in QIP (and specifically in quantum cryptography) is the topic of quantum digital signatures (QDS). Before we discuss QDS, we briefly mention the historical background and motivation to QDS-classical digital signatures. The idea of digital signatures was first proposed by Diffie and Hellman [2] in 1976. The goal is to allow Alice to digitally sign a message for Bob, such that Alice cannot later repudiate signing the message, and Bob (or any other malevolent party) cannot forge Alice’s signature.

Since then, many classical digital signature schemes have been proposed, including the famous Lamport’s one-time digital signature scheme [3] (which we further discuss in Section 2). The main downside of typical classical signature schemes is that their security relies on unproven computational assumptions, such as the difficulty of factoring large numbers. With the advent of Shor’s algorithm [4], which allows factoring numbers efficiently on a quantum computer, a need arises to come up with digital signature protocols whose security does not rely on such computational assumptions.

In 2001, Gottesman and Chuang [5] first proposed the notion of “Quantum Digital Signatures”. Their general idea was to use qubits instead of classical bits to sign the message, thus, potentially achieving information-theoretically secure signature protocols, similar to QKD protocols, such as [6]. However, Gottesman and Chuang’s proposed scheme serves more as a theoretical base model for QDS schemes and is quite unfeasible to realize physically due to several major shortcomings: 1. The need for costly quantum comparison operations (“SWAP” tests) between distant parties. 2. The need for long-term reliable quantum memory. 3. The need for authenticated quantum channels between the parties (namely, quantum states sent by the sender are received fully identically by the recipient).

Since Gottesman and Chuang’s work, much research has been done in attempts to overcome said shortcomings. In 2006, Andersson, Curty, and Jex [7] came up with a novel coherent state comparison method, as well as a QDS protocol based on this method. The main advantage was that the coherent state comparison is more feasible to physically implement than the SWAP test as it requires only linear optics and photon detectors (which are used to construct a “multiport” comparison device). However, the scheme of [7] still required the usage of quantum memory. Then, in 2014, Dunjko, Wallden and Andersson [8] improved the scheme presented in [7] and proposed a QDS that still required a “multiport” device, yet without the requirement of quantum memory.

Most relevant for our work, in [9], Wallden, Dunjko, Kent, and Andersson (WDKA) proposed several QDS protocols relying on QKD components, allowing for highly realizable protocols without the need for optical multi-ports or quantum memory. One of the protocols in [9] is a “classical” signature protocol that relies on secret shared keys, which may be distributed by QKD methods (protocol P2). Lastly, in [10], Amiri, Wallden, Kent, and Andersson (AWKA) took the “classical” protocol from [9] one step further and proposed a QDS protocol without the need for authenticated quantum channels. Thus, the protocol in [10] may be considered as the modern day “standard” feasible QDS scheme. See also [11] for a detailed review of existing QDS protocols.

Although quantum information processing has gained a great deal of popularity, understanding its fundamental rules requires familiarity with non-trivial concepts from physics and mathematics, such as superpositions, unitary transforms, and complex linear algebra in general. In an attempt to improve accessibility to this important field of science, an idea for a simplified model was first proposed by Jacobs—the “Quantum Candy” model. The model was later greatly expanded and defined in [12,13].

In essence, the “Qandy Model” abandons the notion of quantum bits (qubits) in favor of “Quantum Candies” (qandies)—mystical candies that, similarly to classical bits, only have a discrete set of possible states, but unlike classical bits do behave essentially “quantumly”. It is shown and discussed in [12,13], that many concepts from QIP, and especially quantum cryptographic protocols, can be interpreted and defined in the qandy model. However, not many quantum-information protocols can be defined without using superpositions, unitary transformations, and phases.

In other words, a limited, “superpositionless” variant of quantum theory may be useful for some non-classical features yet not for others. We note that, even though many ideas and algorithms from quantum theory cannot be implemented using the qandy model (for example, anything that inherently relies on superpositions and its mathematics, such as the Deutsch–Jozsa algorithm [14]), the qandy model is not contained in quantum theory; as discussed in [13], certain beyond-quantum phenomena such as non-local boxes can be explained using the qandy model.

In this paper, our goal is to present quantum digital signature protocols with QKD components, relying on [9,10], using qandies instead of qubits. We discuss three qandy signature protocols and provide basic intuition for their security. Detailed security analysis is left for future research. The paper is structured as follows: In Section 2, we discuss computationally secure classical digital signatures. In Section 3, we present the classical digital signature variant (due to [9]) of the P2 protocol of [9], which is an unconditionally secure signature scheme.

In Section 4, we discuss the qandy model and its basic rules. In Section 5, we present the first proposed qandy digital signature protocol, based on protocol P1 of [9], and provide some remarks and discuss its security. In Section 6, we present and discuss subsequent improvements of the first protocol, namely P2 of [9] and the protocol of [10], and argue that they may be implemented using qandies as well. We finish the paper with our conclusions in Section 7.

2. Computationally Secure Digital Signatures

We begin this section by introducing the goals of Digital Signatures (DS) schemes, their usages today and present a definition. We then shortly describe the Lamport’s signature scheme [3]—a simple classical scheme that is based on the concept of one-way functions (OWF).

2.1. Digital Signatures-Motivation

Let us examine the following scenario: a sender, Alice, sends the message M to the recipient Bob. Is there a way for Bob to ensure that Alice is indeed the sender of M? In other words, can Bob find a way to ensure that a malicious third party, Eve, was not the one sending M in the name of Alice, or did not tamper with its content?

This type of scenario happens frequently in our era of digital communications. For example, during credit card transactions, a bank obtaining a request from one of its clients to transfer money to another account and needs to make sure the request was indeed made by the client. We call this desired property unforgeability.

What happens if Alice made a future promise to Bob through a message M (and signed it) and later on denies that she is the one who signed it? Namely, she claims someone forged her message. In this case, Alice is the dishonest party, and we would like to prevent her from successfully executing such trickery. A digital signature scheme preventing this behavior is said to promise non-repudiation.

Lastly, a good digital signature scheme should promise a recipient who accepted a signature that any other recipient would accept it as well. This property is called transferability. Transferability is closely related to the second property of non-repudiation, and many times these two properties are identical; for example, when a dispute is settled by majority decision. One can also think of bad schemes when the two are not entirely equivalent, for example, when transferability is not promised even when Alice is honest.

2.2. Definition and the Lamport Scheme

The classical digital signature scheme has a conventional, formal definition (the interested readers may see the formal approach in Appendix A). The definition promises that every scheme that meets its requirements will have the three properties mentioned in Section 2.1: unforgeability, non-repudiation, and transferability. For clarity and simplicity, in this paper, we only deal with the following setup: There are three parties, the messages are all one-bit message (0 or 1), and there is at most one dishonest party. We now present the “canonical” example for a secure one-time DS scheme—the Lamport scheme. Instead of proving its security by the formal definition, we will refer to the unforgeability and non-repudiation properties. We will not refer to transferability since in the Lamport scheme (and more generally, whenever a dispute between three parties is settled by majority vote), it is equivalent to non-repudiation.

The Lamport Scheme

The Lamport scheme [3] is a one-time signature scheme based on the usage of a one-way function. Intuitively, a one-way function is a function that is easy to calculate but difficult to invert, i.e., for any input x, one can efficiently calculate $H\left(x\right)$, but it is difficult to find $x^{\prime }$ such that $H\left(x^{\prime }\right)=H\left(x\right)$, given only $H\left(x\right)$. The Lamport scheme can be viewed as a parallel to the one-time pad (OTP) scheme used in symmetric key encryption, for it is arguably the simplest application of a DS scheme given a OWF. There is however an important difference between the two: the OTP scheme does not require any assumptions for it to be information-theoretically secure, while the Lamport scheme uses a one-way function. The existence of such functions has yet to be proven (though there are some candidates, see [15]), which makes the Lamport scheme only possibly computationally secure.

We present a version of the Lamport scheme for one-bit messages. We also repeat this explanation in a formal way and using formal definitions in Appendix A.

Let Alice be the sender of a message $m\in \{0,1\}$, Bob the recipient and Charlie the arbiter in the case of dispute between Bob and Alice. Let $H:{\{0,1\}}^n\to {\{0,1\}}^n$ be a one-way function.

• Private key generation For each value of $b\in \{0,1\}$, Alice generates a random string $X_b\in {\{0,1\}}^n$. Both $X_b$ serve as the private keys of Alice.
• Public key distribution For each value of b, Alice calculates and publicly announces $P_b=H\left(X_b\right)$. Both $P_b$ serve as the public keys.
• Signed messaging If Alice wishes to send Bob a signed one-bit message m, she sends $(m,X_m)$. I.e., the signature of the message m is ${\sigma }_m=X_m$ (Note that in this construction, $sk=[{\sigma }_0,{\sigma }_1]$).
• Verification When receiving $(m,X_m)$ from Alice, Bob (who knows H and $P_m$) accepts the message if and only if $H\left(X_m\right)=P_m$.
• Arbitration A dispute occurs when Bob claims Alice sent a message m, and Alice denies it. If Bob is dishonest, this is the forgery attempt case. If Alice is dishonest, this is the repudiation attempt case. A dispute is settled in the following way: Bob sends Charlie the value of $X_m$ he claims he received from Alice, $X_m^B$. Charlie then checks if $H\left(X_m^B\right)=P_m$, and if so, he declares Alice as the dishonest one. If not, he declares Bob as the dishonest one.

Unforgeability is guaranteed since, if H is a one-way function, Bob will not be able to find such $X_m^B$ (within reasonable time). Non-repudiation is guaranteed for the same reason: if Bob managed to present such $X_m^B$, then he definitely received it from Alice.

3. One-Time Pad Signatures

One-time pad (OTP) is the popular name for the one-time pad cipher also known as the Vernam cipher or the Vernam code. There is some ambiguity regarding those terms, and thus we clarify here precisely what we mean: Vernam cipher or OTP cipher is the use of a random string of bits pre-shared by a sender Alice and a receiver Bob, named the “pad”, to send secret strings (of length equal to the length of the pad), by using the bit-wise XOR operation between bits of the pad and bits of the secret message. It is crucial for the security of the transmitted secret that the pad is only used once—hence the term one-time pad.

We refer here to the random and pre-shared pad as the OTP, and we present a signature algorithm invented by WDKA [9], which we name one-time pad signature (OTP-S). The paper [9] relies, in their protocol P2, on quantum key distribution for generating the OTP itself. However, we can ignore, for now, the quantum portion of the protocol if we assume that the OTP is already shared between each pair of users.

The OTP-S of [9] is not the first unconditionally-secure signature scheme, and earlier ones were suggested [16,17,18]. Here is a quote from the Discussion section in [9]: “P2 differs because it is an information-theoretic-secure classical digital signature scheme relying only on secret shared keys, without further assumptions, such as a trusted third party or authenticated broadcast channels [16,17,18]. This illustrates how novel classical protocols can arise inspired by quantum information science”.

3.1. Protocol Assumptions

As before, we assume three parties, Alice, Bob and Charlie, and arbitration is required if Bob provides a document (one bit in our case) claiming it is signed by Alice, and Alice said she did not sign this document. We assume that in this protocol (and all subsequent protocols) the arbiter Charlie is always honest.

Let us assume that each pair of users share in advance random strings (secret classical keys—pads) of any desired length, and that each secret random bit is used just once; hence, it is a one-time pad. However, it is not a one-time pad cipher.

We note that a small number of bits from the pre-shared secret strings can be used for authentication via universal hash functions [19,20]. Thus, we assume that, between each pair of users, there also exists an authenticated classical channel and that each transmission (even via OTP) is authenticated.

3.2. Protocol Specification

We now outline the classical protocol; it is nearly precisely P2 of Section 6.1 but without the quantum parts:

• Private Key Generation For each future message bit $b\in \{0,1\}$, Alice generates two random strings $X_b^B,X_b^C\in {\{0,1\}}^n$ (Total of four strings).
• “Public” Key Distribution For each future message bit $b\in \{0,1\}$, Alice sends $X_b^B$ to Bob and $X_b^C$ to Charlie, using OTP.
• “Public” Key Symmetrization For each future message bit $b\in \{0,1\}$, each of Bob and Charlie decides on a random subset of $n/2$ bits from $X_b^B$ ($X_b^C$) and forwards them (value and index) to the other, using OTP. Bob’s decision on the forwarded subset is independent of Charlie’s.
• Signed Messaging For signing a specific bit $b\in \{0,1\}$, Alice sends Bob the string $(b,X_b^B,X_b^C)$ via an authenticated classical channel.
• Verification Bob accepts Alice’s signature if it matches his key $X_b^B$ and the indices of $X_b^C$ Charlie sent him. As the keys are classical, error-free, and authenticated, we can assume the final shared keys must be fully identical (if the parties are honest).
• Arbitration In case of a future dispute regarding the message content, Bob forwards to Charlie the string $(b,X_b^B,X_b^C)$ he obtained from Alice. Charlie counts the mismatches between Bob’s forwarded keys $(X_b^B,X_b^C)$ versus his key $X_b^C$ and the parts of the key $X_b^B$ Bob sent him in Step 3, and accepts only if:

  (a)

  There is no mismatch between Bob’s forwarded $X_b^B$ and the parts of $X_b^B$ Charlie received from Bob in Step 3.

  (b)

  The number of mismatches between Bob’s forwarded $X_b^C$ and Charlie’s $X_b^C$ is less than $s_v·n$, where $s_v$ is the arbiter’s verification threshold parameter.

  Charlie accepting means he accepts Bob’s forwarded message as valid, i.e., Alice is the dishonest party, and a rejection means Bob’s forwarded message is invalid, i.e., Bob is the dishonest party.

The protocol is proved to be secure against repudiation and forgery for a choice of $0<s_v<1/4$, with the full proof found in [9]. Intuitively, the larger $s_v$ is, the easier it is to successfully forge (by Bob), and the lower $s_v$ is, the easier it is to successfully repudiate (by Alice).

We shall repeat similar steps when discussing P2 in Section 6.1. For the sake of consistency with earlier works [9,10], we keep the internal order of [9], thus presenting protocol P1 prior to protocol P2; but firstly we present quantum candies.

4. Quantum Candies

We now present the notion of quantum candies (or qandies) as presented in [12,13]. The concept of qandies was first proposed by Jacobs [21]—see a detailed description of Jacobs qandies in [12,13]. The Jacobs qandies model can be viewed as a development of the “chocolate balls” model presented by Karl Svozil in several papers (e.g., [22]), although the two models were independently developed. Classically, communication between two parties is executed by transmitting pieces of information called bits, which are simply zeroes and ones.

However, in the world of quantum communication, there are transmissions of qubits, or quantum bits. To create a qubit, one uses a physical system with quantum properties, such as the polarization of photons, and maps the state of the system to a qubit value. This is similar to the classical case, when (for example) a presence of current is mapped to the bit “1”, and absence of current is mapped to the bit “0”. However, due to the laws of quantum mechanics, qubits present extraordinary properties that are very different from the classical world.

Those properties have significant information-theoretic consequences (e.g., the no-cloning theorem), and the notion of quantum candies helps explaining some of those properties in a simple and mathematics free manner [12,13]. In the conference version [12], Jacobs qandies are extended to Lin–Mor qandies—by adding a correlation-generating machine that generates states (of pairs of qandies) resembling entangled states in quantum theory. Furthermore, in [12], it is shown how a naive qandies bit commitment scheme can be cheated using such pseudo-entangled qandies. In the much extended journal version [13], Lin–Mor qandies are further extended to Lin–Mor–Shapira qandies—by adding correlation-measuring machine that can distinguish various fully-correlated states (of pairs of qandies) and furthermore presented protocols for communication and for key distributions relying on such qandies machines.

Imagine two parties, Alice and Bob, who wish to communicate with each other. For simplicity, let Alice be the sender of a message and Bob be the recipient.

We equip Alice with a machine that can generate a special kind of candies, called “qandies”. At any given time, each qandy has exactly one property out of the following options: Green color $\left\{G\right\}$, Red color $\left\{R\right\}$, Chocolate flavor $\left\{C\right\}$ and Vanilla flavor $\left\{V\right\}$. Thus, Alice’s machine has only four buttons: R, G, C, V, which match the properties, respectively.

When receiving a qandy, Bob can either taste it or look at it (but not both at the same time): if Alice prepared a qandy with a certain taste, Bob can taste the qandy, and he will measure that taste, e.g., if Alice pressed the {V} button and Bob decided to taste the qandy, then he will taste vanilla. Similarly, if Alice prepared a qandy with a certain color, Bob can look at the qandy and he will see that color, e.g., if Alice pressed the {G} button and Bob decided to look at the qandy, then he will see a green qandy.

This way Alice can send the qandies to Bob, with one color mapped to the value “0” and the other to the value “1”. Similarly, one taste is mapped to “0” and the other to “1”.

What happens if Alice pressed the {V} button and Bob decided to look at the candy’s color? This scenario is what makes Alice’s qandies so special, and gives them their quantum-like properties that turn them into “qandies”. If Alice prepared a certain property (taste or color) and Bob decided to measure the other property, then he will measure a random outcome (out of the two possibilities for the measured property). Thus, if Alice pressed the {V} button and Bob decided to look at the qandy’s color, he will see Red with probability of $\frac{1}{2}$ or Green with probability of $\frac{1}{2}$.

This means that only the original property prepared by Alice is meaningful, since measuring the other property leads to a completely random outcome. To quote the original paper [12,13]: “The key feature of these qandies is that each single qandy really has only a single specific property. This is one form of what is known as the complementarity principle in quantum physics: if color is defined, taste cannot be defined, and if taste is defined, color cannot be defined. The rule of complementarity applies both to the person (i.e., person/machine) preparing the qandies, and to anyone observing the qandy”.

In particular, as also shown previously in [12] and even more so in [13], the qandy model (i.e., a “superpositionless” variant of quantum theory) is sufficiently strong for presenting interesting features of quantum protocols while being able to fully avoid the usage of superpositions or phases. In the following sections, we will see how these characteristics of qandies allow us to successfully achieve our goal of creating secure signature schemes.

5. A Digital Signature Protocol with Qandies

We now describe a digital signature protocol using quantum qandies. The protocol is a one-time signature protocol for signing a single bit b, based on the P1 QDS protocol of [9]. The protocol has three parties: Alice the signer, Bob the verifier, and Charlie the arbiter. We first present the protocol assumptions, then the protocol steps, and lastly a general discussion of the protocol before moving on to analyze its security.

5.1. Protocol Assumptions

• Alice is in possession of standard qandy generation capabilities: she can create qandies of the four types $\{R,G,C,V\}$. Alice also has an ideal coin, i.e., she can generate random classical bits; such an assumption is automatically satisfied using qandies measuring devices (e.g., generate a color qandy and measure its taste).
• Between each two parties, there exists a lossless but potentially insecure “qandy channel”, namely: for each qandy sent by a sender, some qandy is received by the receiver (although it may be corrupted by noise or eavesdropping activities).
• Bob and Charlie possess standard qandy measurement capabilities: they can either look at or taste the qandies.
• Bob and Charlie possess a “qandy memory” capability, namely they can store received qandies indefinitely and measure them later.
• Between each two parties there exists an authenticated classical channel (using a small number of pre-shared bits); no eavesdropper or noise can change the classical bits sent between the parties.

Notes:

• The assumption in Item 4 is not strictly necessary (the original protocol P1 in [9], does not make it). We later discuss how the protocol may be defined without it, but we make it here to simplify the description.
• In the original protocol in [9], another assumption was made: between each two parties there exists an authenticated quantum channel, i.e., no eavesdropper or noise can change the qandies sent between the parties. We note the implementation of an authenticated quantum channel is a far-from-trivial task [23], and it is unclear whether such an authenticated channel can be implemented using qandies. However, as stated by [9], the requirement of authenticated quantum channels may be dropped if the parties use the first step of most standard QKD technique: the step of comparing measurement results (TEST), after sending quantum states to one another and measuring some of them (and aborting if the effective noise level, $p_e$, is too high). Such a technique may easily be implemented using qandies [12,13], and we thus assume no authenticated “qandy channels” are needed for this protocol.
• Adding TEST somewhat modifies the security analysis to make it more complicated; a detailed analysis is beyond the scope of this paper, and is left for future work.
• We assume that n is very large and thus that the relevant law of large numbers will work well, and any exponentially small tail can be safely neglected.

5.2. Protocol Specification

• Private Key Generation For each future message bit $b\in \{0,1\}$, Alice generates a random string (“private key”) $X_b=(x_1^b,x_2^b,\dots ,x_n^b)$ of characters from the set ‘R’, ‘G’, ‘C’, ‘V’ (each character can be represented by 2 bits). The key length n is the security parameter of the protocol.
• “Public” Key Distribution For each future message bit $b\in \{0,1\}$, Alice creates two copies of qandy strings (“public keys”) $Q_b=(q_1^b,q_2^b,\dots ,q_n^b)$ using her qandy generating machine-each qandy $q_i^b$ according to the private key character $x_i^b$. Alice sends one copy of $Q_b$ to Bob and the other to Charlie.
• “Public” Key Symmetrization For each future message bit $b\in \{0,1\}$:

  (a)

  Bob (Charlie) decides on a random subset of $n/2$ qandies from his copy of $Q_b$ and forwards them to Charlie (Bob), without measuring. The decision on the forwarded subset is independent of the other party.

  (b)

  Bob (Charlie) randomly looks at or tastes each of the $n/2$ qandies he has kept, as well as the $n/2$ qandies received from Charlie (Bob), and writes down the measurement results.

  (c)

  Alice discloses part of the qandies to Bob and Charlie (via an authenticated classical channel), for TEST. There are two TESTs:

  i.

  Between Alice and Charlie, in order to make sure Bob did not attempt to eavesdrop in Step 2 (distribution).

  ii.

  Between Alice and Bob, in order to make sure Alice did not attempt to eavesdrop in Step 3 (symmetrization).

  In both TESTs, both parties choose which indices they want to reveal.

  Bob and Charlie abort the protocol if the noise rate $p_e$ is higher than $s_a-\delta \left(n\right)$. $s_a\ge \delta \left(n\right)$ is the recipient’s verification threshold parameter that depends on the parameters of the qandy channel and equals $\delta \left(n\right)$ in the ideal case. $\delta \left(n\right)$ is a small parameter (function of n), such that the probability of a noise rate higher than $s_a$ on the unmeasured (non-TESTED) qandies is exponentially small. Several additional notes about the TESTs:

  • Both TESTs have to be done with Alice’s participation, because only Alice knows the true values of the qandies she sent and may reveal them to Bob and Charlie as necessary.
  • In the TESTs, qandies with conjugate measurement bases (e.g., Alice sent a color Qandy but Bob tasted it) are removed from the statistics and do not contribute towards the noise rate calculation.

  At this stage, Bob and Charlie do not yet know the indices of the qandies that were received from the other and were not TEST qandies.
• Signed Messaging For signing a specific bit $b\in \{0,1\}$, Alice sends Bob the string $(b,X_b)$ (via an authenticated classical channel)
• Verification At this stage, Bob and Charlie disclose to one another all the indices of the qandies they forwarded in Step 3, via an authenticated classical channel. Bob counts the number of mismatched indices between his measurement results of $Q_b$ from Step 3b and Alice’s candidate private key $X_b$.
  A mismatch for index i occurs when Alice’s private key character $x_i^b$ contradicts Bob’s measurement result for that index: for example, $x_i^b$ is ‘$R$’ but Bob has a measurement that says $q_i^b$ is G. On the other hand, if $x_i^b$ is ‘$R$’ but Bob decided to taste and measured C, then this is not a contradiction as he chose the wrong basis.
  Bob accepts Alice’s signature if the number of mismatches is smaller than $s_a·n$, and rejects it otherwise.
• Arbitration In case of a future dispute regarding the message content, Bob forwards to Charlie the string $(b,X_b)$ he obtained from Alice. Charlie counts the mismatches similarly to Bob, but accepts (i.e., agrees with Bob) only if the number of mismatches is less than $s_v·n$, where $s_v>s_a$ is the arbiter’s verification threshold parameter.

Following are several remarks on the protocol.

5.2.1. No-Cloning of Qandies

In Step 2, the requirement to create two copies of the qandy strings stems from the no-cloning theorem for qandies [12,13]: Bob (Charlie) is unable to copy the qandies he obtained from Alice and send them to Charlie (Bob). This is in contrast to the classical Lamport protocol, where Alice’s public key can be copied as many times as necessary and by anyone. On one hand, this property is a weakness of the quantum/qandy protocol compared to the classical protocol, as the number of recipients must be determined in advance. On the other hand, this is what enables the protocol to be unconditionally secure. If we replace one honest arbiter by several such that a majority of them are assumed to be honest, the issue of potential cloning becomes problematic.

5.2.2. Usage of Memory

In Step 3, the fact Bob and Charlie have a “qandy memory” allows them to select a random subset of $n/2$ qandies in advance to send to the other. In contrast, in the P1 protocol of [9] Bob and Charlie decide randomly and independently for each qandy obtained from Alice whether to measure it or forward it with equal probabilities. The protocol is then aborted if each of them received from the other a number of qandies too far from $n/2$ (up to a certain threshold). Our qandy protocol could be defined analogously, removing the need for “qandy memory”.

5.2.3. Possibilities of Elimination

In Step 3, Bob and Charlie do not exchange the same random subset of qandies, since the choice is made by each of them independently. For large n, after the exchange Bob and Charlie will each have zero copies of $q_i^b$ with probability $1/4$, one copy with probability $1/2$ and two copies with probability $1/4$. This means that, for an index i with zero copies, they cannot eliminate any possible value of the private key and hence have to accept any claim by Alice for that index. On the other hand, for an index i with two copies, they can eliminate at most two possible values of the private key—by looking at the first copy and tasting the second.

5.3. Security Analysis

Security of a digital signature protocol relies on non-forgery (by Bob) and non-repudiation (by Alice). In the following section, we provide a basic intuition for the qandy signature protocol being secure against forgery and repudiation, based on the full analysis of [9] done for quantum case. Since we assume non-ideal/noisy “qandy channels” (either due to natural noise or eavesdropping activity), we discuss the probability of an “honest abort” (following [24]) and discuss the optimal choice of the parameters $s_a,s_v$. Note that the security is information-theoretic; therefore, it does not depend on unproven computational assumptions unlike most currently known classical protocols.

5.3.1. Security against Forgery

For a successful forgery, a cheating Bob has to guess a signature $(b^{\prime },X_{b^{\prime }})$ he did not obtain from Alice, that is consistent with the public key qandies from $Q_{b^{\prime }}$ in Charlie’s possession, i.e., cause less than $s_{v}n$ mismatches with Charlie’s qandies to pass the arbitration step. Due to the symmetrization (Step 3) of the protocol, Charlie has left in his possession $n/2$ of the qandies of each public key $Q_b$. It can be shown that Bob’s best course of action is to perform a minimum-error measurement [25] on his copy of the public key $Q_{b^{\prime }}$, which, in the qandy world, translates to randomly looking at or tasting a qandy. If needed for Step 3, Bob can generate the qandy he observed and forward to Charlie. Such strategy yields a probability of $p_f$ that Bob causes a mismatch between an honest Alice’s private key element and the copy of the qandy left in Charlie’s possession.

Overall, it is shown by [9] that, for $s_v<p_f$, the probability of forgery is:

$$p_{\mathrm{forgery}}\le exp(-c_f{(p_f-s_v)}^{2}n),$$

(1)

for some constant $c_f>0$; thus, the protocol is secure against forgery—as the probability of forgery decays exponentially with the security parameter n.

5.3.2. Security against Repudiation

For a successful repudiation, a cheating Alice has to cause Bob to accept her signature in Step 5 (verification) while Charlie rejects it in Step 6 (arbitration). Even if Alice sends different public keys $Q_b^{\mathrm{Bob}}\ne Q_b^{\mathrm{Charlie}}$ to Bob and Charlie, respectively, Step 3 (symmetrization) ensures that from her perspective, each qandy $q_b^{\mathrm{Bob}},q_b^{\mathrm{Charlie}}$ has equal probability of ending up in either Bob’s or Charlie’s possession. Therefore, Alice does not benefit from sending different public keys to Bob and Charlie.

It is shown in [9] that Alice’s best strategy to repudiate is to send the same public key to both Bob and Charlie (i.e., as in the honest case), but when signing, deliberately choose a signature with $n(s_v-s_a)/2$ mismatches with the public key. Requiring $s_a<s_v$ as mentioned previously, such an attempt yields a probability of repudiation:

$$p_{\mathrm{repudiation}}\le exp(-c_r{(s_v-s_a)}^{2}n),$$

(2)

with some constant $c_r>0$; thus, the protocol is secure against repudiation.

5.3.3. Probability of an Honest Abort

We assumed the “qandy channel” employed by the participants is noisy, either due to natural noise or eavesdropper activity, with probability smaller than $p_e+\delta \left(n\right)$ for a “noise mismatch” caused between Alice’s private key element and Bob’s measurement (estimated by employing TEST on some of the qandies sent in the distribution stage). Intuitively, if Bob’s verification threshold $s_a$ is too low, allowing for less mismatches, a high noise rate $p_e$ will cause Bob to abort many of Alice’s (honest) signatures attempts, even during the TEST in the distribution step of the protocol. Thus, it can be shown [24] that having $p_e<s_a$, we have a probability of honest abort:

$$p_{\mathrm{honest}\text{-}\mathrm{abort}}\le exp(-c_{ha}{(p_e-s_a)}^{2}n),$$

(3)

with some constant $c_{ha}>0$; thus, the protocol is “robust” against honest aborts.

5.3.4. Choosing the Optimal Thresholds

Following [24], with the probabilities of forgery, repudiation, and honest abort in mind, we find that, for our qandy signature protocol, the following relation must hold:

$$0\le p_e<s_a<s_v<p_f.$$

(4)

In order to minimize the probability of any “bad event” (successful forgery, successful repudiation, or honest reject) happening, the parameters $s_a,s_v$ must be chosen such that the distance between each pair of probabilities in Equation (4) is equal. Of course, one may also set the parameters differently (and not symmetrically) if not all the “bad events” are equally important.

6. Alternative Signature Protocols

Given the original constraint of requiring authenticated quantum channels in P1 of [9], an alternative protocol was suggested by the authors-P2. Then, in [10], another protocol was suggested that also avoids authenticated quantum channels, which is an improved version of [9]’s P2, in terms of efficiency.

In this section, we first discuss the P2 protocol and compare it to P1 and then discuss [10]’s and compare it to P2.

6.1. Protocol P2 of WDKA15 with Qandies

As we already clarified, the protocol P2 is, in a sense, a “classical” signature scheme, based on shared secret classical keys. The secret classical keys in P2 are obtained using QKD techniques, and thus the protocol may be implemented using qandies, by applying qandy QKD as described in [12,13]. The protocol steps are almost identical to the steps of OTP-S in Section 3.2; instead of using OTP to obtain secure classical channels, the parties use qandies to implement standard QKD (thus, requiring only an authenticated classical channel), including the classical post-processing steps of TEST, Error correction (EC), and Privacy Amplification (PA).

We now provide several remarks on the protocol and compare it to P1:

6.2. Classical Public Keys

The main difference of this protocol from the P1 protocol of [9] is that it uses classical public keys instead of quantum/qandy keys, and only the method to obtain those keys is quantum/qandy based (see Figure 1). The downside vs. P1 is that, due to employing full QKD (and not just the TEST stage as in P1), Alice may need to send longer strings of qandies to achieve a desired level of security. This disadvantage is later resolved in [10], by replacing the full QKD in the distribution step with a variant that includes just messaging + TEST, essentially shifting the protocol back towards P1 in this sense (see Section 6.5).

6.3. Usage of Memory

In the symmetrization step of the original P2 protocol in [9], Bob and Charlie randomly decide whether to forward each bit of the public key to the other, and abort the protocol if one of them received from the other a number of bits too far from $n/2$. Here we decided to have Bob and Charlie randomly send exactly half the bits to the other, as in our description of P1, in order to simplify the description. Contrary to P1, having Bob and Charlie store their bits in memory here is not difficult to implement, as classical memory is usually a trivial resource.

6.4. Verification Threshold

In the verification step, note that in contrast to P1, we have no threshold $s_a$ and Bob must ensure that all the bits he has in his possession (both from $X_b^B$ and $X_b^C$) match Alice’s declaration. This is because the public keys were distributed with no errors at all over the secure classical channels during the distribution step.

Protocol Security

As the OTP-S protocol is proven secure in [9], and QKD with qandies is secure [12,13], the P2 protocol is also secure.

6.5. Protocol of AWKA16 with Qandies

Following the work of [9], an improved version of P2 was proposed and proven secure in [10]. Ref. [10] is a somewhat “intermediate” protocol between the P1 and P2 protocols of [9].

Similarly to P2, the protocol uses shared classical keys between the participants, with Bob and Charlie each obtaining a different key. The difference from P2 is that instead of employing all stages of QKD to obtain fully identical and fully secret keys, [10] avoid implementing the EC and PA stages during the key distribution step, i.e., only implement the TEST stage, as in P1 (see Figure 1). This allows Alice to send fewer qubits in order to obtain a desired level of security (since no bits are “sacrificed” for EC and PA).

Due to skipping EC and PA, the generated keys are not entirely identical and not entirely secret, but are highly correlated (in fact, as showed by [10], more correlated than with any key an eavesdropper could produce). This enables the signature protocol (which is identical to that of P2 in the rest of the steps) to remain secure, although the security proof is much more complicated in this case and can be found in [10]. We note that in their security proof, [10] assume that it is Bob who is the sender in the QKD of the distribution step to simplify the security analysis of non-repudiation. Regardless, according to [10], it is not mandatory, and the protocol may still work even when Alice is the sender.

Of course, the same protocol may be implemented using qandies—we implement qandy QKD to share the keys between Alice and Bob/Charlie, without the post-processing steps of EC and PA. The rest of the protocol follows analogously.

7. Conclusions

In this paper, we discussed the topic of digital signatures and the qandy model proposed by Jacobs (presented and extended in [12,13]).

Our main idea in the current paper was to use the qandy model to present a simplified version of the P1 quantum digital signature protocol presented by [9]. Then, we showed that the protocols P2 in [9] and the protocol in [10] may be translated to the qandy world as well. We also clearly presented a fully classical method (a classical variant of P2) that is due to WDKA [9], yet its connection to OTP is somewhat hidden in the original paper, and thus we thought it important to highlight here.

The work is meant to serve mostly as a continuation to the ideas presented in [12,13], with the goal of presenting interesting concepts from quantum information science to the unfamiliar reader, focusing on quantum digital signatures. While not many quantum-information protocols can be defined without using superpositions, unitary transformations, and phases, we showed here that it is possible for quantum digital signatures.

We end by proposing several potential future research directions with respect to digital signatures with the qandy model. First, in Section 5.1, we assumed the “qandy channels” used by the parties are perfectly lossless, i.e., no qandies are lost in transmission. An open question is, therefore, the study of “lossy” qandy channels and establishing what kind of digital signatures are achievable over a lossy channel (see, for example, [26]) using qandy communication. In addition, the field of continuous-variable quantum information attempts to employ physical continuous variables towards the task of quantum cryptography and quantum digital signatures in particular [27,28]. Therefore, another potential research direction is the study of whether (and how) the qandy model can extended to enable digital signatures with “continuous-variable qandies”.